Nexus Intelligence Insights: What’s in a Ghostcat? CVE-2020-1938 Apache Tomcat – Local File Inclusion Potentially Leads to RCE

For this month’s Nexus Intelligence Insights, let’s dive deep into the popular Ghostcat vulnerability making headlines recently.

This vulnerability deserves attention as it impacts the widely used Apache Tomcat web server, has at least 5 exploits publicly available on GitHub and ExploitDB, and has a rather simple, yet overlooked, root cause. In fact, no version of Tomcat released in the last 13 years is immune to Ghostcat, unless properly patched.

The vulnerability, left unresolved, could pave an easy way for attackers to access arbitrary files on the server. The files may very well divulge sensitive information such as proprietary source code, stored passwords, API tokens, etc. More advanced PoCs can let malicious actors cause even further damage by remotely executing code on the system and planting backdoors, if they are able to get their hands on juicy bits of information.

What’s more? “Mass scanning activity targeting this vulnerability has already begun,” according to Bad Packets and evident from Shodan, thereby prompting immediate attention and a speedy remediation of this issue.

Vulnerability Identifier(s): CVE-2020-1938 (aka CNVD-2020-10487)

Type of Vulnerability: CWE-20 / Improper Input Validation leading to Local File Inclusion.


CVSS 3.1 Score: 9.8
CVSS 3.1 Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected components:
as present in Maven Central

Vulnerable version ranges:

[9.0.0.M1, 9.0.31),
[8.0.0-RC1, 8.5.51),
( , 7.0.100)

The Nitty Gritty and Attack Mechanics

Dubbed CVE-2020-1938, CNVD-2020-10487 and informally “Ghostcat,” the vulnerability occurs due to AJP protocol support in Tomcat being enabled by default.

As is standard practice, most web server programs provide for a variety of protocols to be supported and make this possible by keeping several ports open by default, and by constantly “listening” (Read more…)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Akshay ‘Ax’ Sharma. Read the original post at: